Description:

Amazon Simple Storage Service (Amazon S3) is an object storage service that offers industry-leading scalability, data availability, security, and performance. At the Amazon S3 bucket level, you can configure permissions through a bucket policy so that the objects are accessible only through HTTPS.

Rationale:

To achieve only allowing access to Amazon S3 objects through HTTPS you also have to explicitly deny access to HTTP requests. Bucket policies that allow HTTPS requests without explicitly denying HTTP requests will not comply with this recommendation.

Impact:

HTTP (non-TLS) requests to the bucket are denied by the S3 bucket policy; clients that still use plain HTTP will receive an access-denied error.

Default value:

By default, Amazon S3 allows both HTTP and HTTPS requests.

Pre-Requisite:

S3 bucket

Remediation:

Test Plan:

  • AWS Console Process

  1. Log in to the AWS Management Console and open the Amazon S3 console at https://console.aws.amazon.com/s3/

  2. Click on the bucket name you want to open. 

  3. Click on 'Permissions', then click on Bucket Policy.

  4. Make sure HTTP access is not allowed: confirm that there is a bucket policy that explicitly denies access for HTTP requests and that it contains the key "aws:SecureTransport": "false".

  5. Ensure that a policy statement is listed that matches:

     {
       "Sid": "<optional>",
       "Effect": "Deny",
       "Principal": "*",
       "Action": "s3:*",
       "Resource": "arn:aws:s3:::<bucket_name>/*",
       "Condition": {
         "Bool": {
           "aws:SecureTransport": "false"
         }
       }
     }

Using AWS CLI:


List all of the S3 buckets:

aws s3 ls

Using the list of buckets, run this command on each of them (the grep only shows that the condition key is present; open the policy to confirm it sits in a Deny statement rather than an Allow statement with "aws:SecureTransport": "true"):

aws s3api get-bucket-policy --bucket <bucket_name> | grep aws:SecureTransport
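The grep above cannot tell a compliant Deny statement apart from an Allow statement that merely mentions aws:SecureTransport. The following script is an added example (not part of the original test plan) that parses the policy document returned by `aws s3api get-bucket-policy --bucket <bucket_name> --query Policy --output text` and applies the full check from the rationale: Effect Deny, Principal everyone, all S3 actions, the bucket's objects as Resource, and the Bool condition aws:SecureTransport false. It goes slightly beyond the page by also accepting the equivalent forms `{"AWS": "*"}` for the principal, `"*"` for the action and a JSON boolean for the condition value. The bucket name example-bucket, the account id 111122223333 and the Sid values are constructed sample data.

```python
"""Check an exported S3 bucket policy for a statement that denies non-TLS access."""
import json

# Constructed sample: policy text as returned by
#   aws s3api get-bucket-policy --bucket example-bucket --query Policy --output text
# for a bucket that already carries the Deny statement from the test plan.
SAMPLE_COMPLIANT_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowAccountReads", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
})

# Constructed sample: a policy that only *allows* HTTPS requests. A grep for
# aws:SecureTransport matches it, but it does not deny HTTP and so fails the check.
SAMPLE_NONCOMPLIANT_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"Bool": {"aws:SecureTransport": "true"}}},
    ],
})


def _as_list(value):
    """IAM policy fields may be a single value or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principal_is_everyone(principal):
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def _denies_all_s3(actions):
    return any(a in ("*", "s3:*") for a in _as_list(actions))


def _covers_objects(resources, bucket):
    wanted = {"*", f"arn:aws:s3:::{bucket}/*"}
    return any(r in wanted for r in _as_list(resources))


def _secure_transport_false(condition):
    # The value is normally the string "false"; a JSON boolean is accepted too.
    value = condition.get("Bool", {}).get("aws:SecureTransport")
    return str(value).lower() == "false"


def statement_denies_http(stmt, bucket):
    """True if stmt denies every S3 action for everyone when the request is not TLS."""
    return (stmt.get("Effect") == "Deny"
            and _principal_is_everyone(stmt.get("Principal"))
            and _denies_all_s3(stmt.get("Action", []))
            and _covers_objects(stmt.get("Resource", []), bucket)
            and _secure_transport_false(stmt.get("Condition", {})))


def policy_enforces_https(policy_text, bucket):
    """policy_text is the JSON policy document string exported from get-bucket-policy."""
    policy = json.loads(policy_text)
    return any(statement_denies_http(s, bucket)
               for s in _as_list(policy.get("Statement", [])))


if __name__ == "__main__":
    for name, doc in (("compliant", SAMPLE_COMPLIANT_POLICY),
                      ("noncompliant", SAMPLE_NONCOMPLIANT_POLICY)):
        result = policy_enforces_https(doc, "example-bucket")
        print(f"{name}: {'PASS' if result else 'FAIL'}")
```

To run it against a real bucket, export the policy with `aws s3api get-bucket-policy --bucket <bucket_name> --query Policy --output text` and pass the resulting text and the bucket name to `policy_enforces_https`. A bucket that has no policy at all also fails the recommendation, since nothing denies HTTP.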


Implementation Plan:


  • AWS Console Process

  1. Log in to the AWS Management Console and open the Amazon S3 console at https://console.aws.amazon.com/s3/

  2. Click on the bucket name you want to open. 

  3. Click on 'Permissions', then click on Edit under Bucket Policy.

  4. Add this statement to the existing policy, filling in the required information:

     {
       "Sid": "<optional>",
       "Effect": "Deny",
       "Principal": "*",
       "Action": "s3:*",
       "Resource": "arn:aws:s3:::<bucket_name>/*",
       "Condition": {
         "Bool": {
           "aws:SecureTransport": "false"
         }
       }
     }

  5. Click on Save changes.



Using the AWS Policy Generator:

  1. Log in to the AWS Management Console and open the Amazon S3 console at https://console.aws.amazon.com/s3/

  2. Click on the bucket name you want to open. 

  3. Click on 'Permissions', then click on Edit under Bucket Policy.

  4. Click on Policy Generator at the bottom of the Bucket Policy Editor.   

  5. Select Policy Type: S3 Bucket Policy 
  6. Add Statements.  Effect = Deny, Principal = *, AWS Service = Amazon S3, Actions = *, Amazon Resource Name = <ARN of S3 bucket> and click add statement.
  7. Click on generate policy to generate the S3 policy.
  8. Copy the generated policy and paste it in the bucket policy section.
  9. Click on save changes.



Using AWS CLI

Export the bucket policy to a JSON file.

aws s3api get-bucket-policy --bucket <bucket_name> --query Policy --output text > policy.json 

Modify the policy.json file by adding this statement to its "Statement" array:

{
  "Sid": "<optional>",
  "Effect": "Deny",
  "Principal": "*",
  "Action": "s3:*",
  "Resource": "arn:aws:s3:::<bucket_name>/*",
  "Condition": {
    "Bool": {
      "aws:SecureTransport": "false"
    }
  }
}


Apply the modified policy back to the S3 bucket.

aws s3api put-bucket-policy --bucket <bucket_name> --policy file://policy.json
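Editing policy.json by hand is error-prone (the statement must land inside the existing "Statement" array, and running the step twice must not append a duplicate). The following script is an added example, not part of the original implementation plan, that performs the "modify the policy.json file" step between the two CLI commands above: it reads the exported policy, appends the Deny statement from the plan if an equivalent one is not already present, and writes the file back for put-bucket-policy. It also handles the edge case of a bucket that has no policy yet, where get-bucket-policy produces no document, by starting a new one. The Sid value DenyInsecureTransport, the bucket name example-bucket and the account id 111122223333 are constructed; the file name policy.json is the one used in the plan.

```python
"""Insert the Deny-HTTP statement from the implementation plan into an exported S3 bucket policy."""
import json
import sys

POLICY_VERSION = "2012-10-17"


def deny_insecure_transport_statement(bucket, sid="DenyInsecureTransport"):
    """The statement from the implementation plan; the default Sid is a constructed value."""
    return {
        "Sid": sid,
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": f"arn:aws:s3:::{bucket}/*",
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }


def _as_list(value):
    """IAM policy fields may be a single value or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _is_deny_http_statement(stmt, bucket):
    """Loose match used only to avoid appending a duplicate on a second run."""
    cond = stmt.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
    return (stmt.get("Effect") == "Deny"
            and str(cond).lower() == "false"
            and f"arn:aws:s3:::{bucket}/*" in _as_list(stmt.get("Resource", [])))


def add_deny_http_statement(policy, bucket):
    """policy: JSON text exported with get-bucket-policy, an already-parsed dict,
    or empty/None when the bucket has no policy yet. Returns the updated dict."""
    if isinstance(policy, str):
        policy = json.loads(policy) if policy.strip() else None
    if not policy:
        policy = {"Version": POLICY_VERSION, "Statement": []}
    statements = _as_list(policy.get("Statement", []))
    if not any(_is_deny_http_statement(s, bucket) for s in statements):
        statements.append(deny_insecure_transport_statement(bucket))
    policy["Statement"] = statements
    return policy


# Constructed sample: an existing policy exported from a bucket named example-bucket.
SAMPLE_EXISTING_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowAccountReads",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
})


def main(argv):
    # Usage: python3 add_deny_http.py <bucket_name> policy.json
    # Rewrites policy.json in place so it can be applied with put-bucket-policy.
    if len(argv) != 3:
        print("usage: add_deny_http.py <bucket_name> <policy.json>", file=sys.stderr)
        return 2
    bucket, path = argv[1], argv[2]
    try:
        with open(path) as fh:
            current = fh.read()
    except FileNotFoundError:
        current = ""  # the bucket had no policy, so the export step wrote nothing
    updated = add_deny_http_statement(current, bucket)
    with open(path, "w") as fh:
        json.dump(updated, fh, indent=2)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it between the export and apply commands of the plan: `python3 add_deny_http.py <bucket_name> policy.json`, then `aws s3api put-bucket-policy --bucket <bucket_name> --policy file://policy.json`. The duplicate check deliberately matches only Effect, the condition value and the object resource, so an existing statement with a different Sid or action list is left alone rather than duplicated.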

Backout Plan:

  • AWS Console Process

  1. Log in to the AWS Management Console and open the Amazon S3 console at https://console.aws.amazon.com/s3/

  2. Click on the bucket name you want to open. 

  3. Click on 'Permissions', then click on Delete under Bucket Policy.




Using AWS CLI

aws s3api delete-bucket-policy --bucket <bucket_name>


Reference:

s3api — AWS CLI 2.11.11 Command Reference 

How to Use Bucket Policies and Apply Defense-in-Depth to Help Secure Your Amazon S3 Data | AWS Security Blog